The following security improvements on Mac OS X Yosemite have not been publicized previously, and I feel they are rather important. This post is dedicated to the security improvements I have noticed on OS X Yosemite, as well as recent iCloud security updates that are more than welcome. Anybody who is concerned with privacy and security will definitely welcome these changes.
- OS X now asks users to setup FileVault 2 encryption upon setup. FileVault 2 is an excellent Whole-Disk-Encryption solution that has bene built in by Apple since OS X Lion - only now is it brought front and center to the setup interface. The downside is the setup process also defaults to allowing a computer to be unlocked with an AppleID and password. PLEASE DISABLE UNLOCKING BY APPLEID AND DISABLE THE ENCRYPTION BACKUP WITH APPLEID
- For a while now, Find My iPhone has given Mac users the ability to remotely lock and/or wipe their Macs. A four digit code could be chosen that would be required to reactivate the Mac for use once it has been recovered. A fatal flaw has existed in this method, allowing the the code to be easily brute forced (see here) with the right tool. The tool would restart the Mac (which would clear the memory of attempts, and the time limit disabling the Mac) every so often. The time limit and number of attempts is now persistently stored - it is now infeasible to brute force a remotely locked Mac. HOWEVER - I recommend setting a secure firmware password to begin with, for extra security.
- An update to Apple’s web services now enables Two-Factor authentication for iCloud and all other aspects of an AppleID that were not previously protected. The only exception to 2FA is now “Find My iPhone”, so you will still definitely want to set a secure password for your AppleID. In early implementations, it was possible to brute-force Apple’s 4-digit 2FA tokens. THIS IS NO LONGER POSSIBLE, YOU WILL BE LOCKED OUT FOR 8 HOURS AFTER 10 ATTEMPTS.
Out of all the changes Apple has made to OS X, iOS, and iCloud - these security enhancements are my favorite and are greatly welcomed - it’s ashame nobody has reported on them yet.